Johannes Ullrich at the SANS Internet Storm Center writes:
Thanks to our reader Glenn for alerting us to this scheme: He received an automated phone call, telling him that his ATM card has been deactivated. The system then offered to re-activate it for him. He didn’t fall for it, and instead called his bank. His bank told him that they had multiple reports like that, and the calls are false.
- first of all, the bank should somehow identify itself by telling you something only they know. Your account number maybe?
- better: call them back at a listed number. Do not ask them what number to call. Usually, the fraudsters will use an automated system to call you, not a human (but they may).
- never provide confidential information like account numbers, social security numbers, PINs, passwords over the phone.
This is something to consider in your own customer service and information security training programs, as well as when you “educate your customers.”